Antivirus software
Antivirus software (also known as anti-virus or AV) is software used to detect and remove computer viruses, as well as many other types of malicious software, collectively known as malware. While the first antivirus programs were designed exclusively to fight computer viruses (hence "antivirus"), modern antivirus software can protect computer systems against a wide range of malware, including worms, phishing, rootkits and trojans, and some security suites provide further protection programs such as tune-up tools, configuration of a Virtual Private Network (VPN), and more. They are mostly built for Microsoft Windows users, since Windows is the most vulnerable platform. However, whatever the operating system, it is advisable to use an antivirus if one is available. Sometimes a user who buys a new computer will find an antivirus pre-installed, and a user who buys one with Windows 8 or later will also have a stronger version of Windows Defender (Windows Defender on Windows 7 and earlier only removes spyware). Running more than one real-time antivirus program at once is not recommended: it can slow down the user's computer, and the programs can conflict with each other.

Identification methods

Signature-based detection

Signature-based detection is the most common method antivirus software uses to identify malware. This method is somewhat limited by the fact that it can only identify known viruses, unlike other methods. When the antivirus software scans a file, it checks the contents against a dictionary of virus signatures. A virus signature is the viral code itself, so saying that a virus signature was found in a file is the same as saying that the virus itself was found. If a virus signature is found in a file, the antivirus software can take action to remove the virus.
Antivirus software will usually perform one or more of the following actions: quarantining, repairing, or deleting. Quarantining a file makes it inaccessible, and is usually the first action antivirus software takes when a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless. Sometimes a user wants to save the content of an infected file (because viruses can embed themselves in files, which is called injection). To do this, the antivirus software will attempt to repair the file by removing the viral code from it. Unfortunately, some viruses damage the file upon injection, which means the repair will fail. The third action antivirus software can take against a virus is deleting it. If a file repair operation fails, usually the best thing to do is simply delete the file. Deleting the file is necessary if the entire file is a virus. Because new viruses are created every day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus companies, the software may allow the user to upload new viruses or variants to the company, where the virus can be analyzed and its signature added to the dictionary. Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them; in this way it can detect a known virus immediately upon receipt. System administrators can also schedule antivirus software to scan all files on the computer's hard disk at a set time and date.
Although the signature-based approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a form of disguise, so that they no longer match the virus signatures in the dictionary.

An emerging technique for dealing with malware in general is whitelisting. Rather than looking only for known bad software, this technique prevents the execution of all code except that which the system administrator has previously identified as trustworthy. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, applications that the system administrator does not want are prevented from executing, since they are not on the whitelist. Since modern enterprise organizations have large numbers of trusted applications, the limitation of this technique rests with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.

Suspicious behavior monitoring

The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert the user, and ask what to do. Unlike the signature-based approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it can also raise a large number of false positives, and users may become desensitized to the warnings.
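As an added illustration of the signature-based, whitelisting and behavior-monitoring methods described above (example code written for this page, not the wiki's or any real product's code; the samples, signature, whitelist and event log are all constructed):

```python
import hashlib

# Constructed samples (not real malware): a "known" virus body, a disguised
# variant with the same role but different bytes, as a polymorphic virus
# would produce, and a clean tool the administrator has approved.
KNOWN_VIRUS = b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x13\x37" + b"\x00payload"
VARIANT     = b"MZ\x90\x00" + b"\x84\xf7\xe4\xb5\x49\x6d" + b"\x00payload"
CLEAN_TOOL  = b"MZ\x90\x00" + b"approved installer v1"

# Signature dictionary: name -> byte pattern taken from the known viral code.
SIGNATURES = {"Demo.Sample.A": b"\xde\xad\xbe\xef\x13\x37"}

def signature_scan(data, signatures=SIGNATURES):
    """Signature-based detection: every dictionary entry whose bytes occur in the file."""
    return [name for name, sig in signatures.items() if sig in data]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Hypothetical whitelist: hashes of the applications the administrator inventoried.
WHITELIST = {sha256(CLEAN_TOOL)}

def whitelist_allows(data, allowed=WHITELIST):
    """Default deny: execution is allowed only for inventoried, trusted files."""
    return sha256(data) in allowed

def verdict(data):
    """Whitelist first; otherwise a signature hit names the threat; otherwise the
    file is unknown and, under default deny, still blocked."""
    if whitelist_allows(data):
        return "allow"
    hits = signature_scan(data)
    return "detected:" + hits[0] if hits else "deny-unknown"

# Constructed event stream for behavior monitoring: (process, action, target).
EVENTS = [
    ("browser.exe", "write", r"C:\Users\u\Downloads\report.pdf"),
    ("browser.exe", "write", r"C:\Program Files\app\app.exe"),
    ("updater.exe", "write", r"C:\Program Files\app\app.exe"),
]

def behavior_alerts(events, trusted_writers=("updater.exe",)):
    """Rule from the text: a program writing to an executable is suspicious.
    The trusted-writer context suppresses the legitimate updater's write, which
    is how context-aware analysis cuts the false positives of a bare rule."""
    return [(proc, target) for proc, action, target in events
            if action == "write"
            and target.lower().endswith((".exe", ".dll"))
            and proc not in trusted_writers]
```

The disguised variant slips past the signature scan but is still blocked by default deny, while the behavior rule alone would have raised a false positive on the updater without the trusted-writer context.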
If the user clicks "Accept" on every such warning, the antivirus software obviously gives no benefit to that user. In recent years, however, sophisticated behavior analysis has emerged, which analyzes processes and calls to the kernel in context before making a decision, giving it a lower false-positive rate than rule-based behavior monitoring.

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware. Two methods are used: file analysis and file emulation. As described above, file analysis is the process by which antivirus software analyzes the instructions of a program. Based on the instructions, the software can determine whether or not the program is malicious. For example, if the file contains instructions to delete important system files, the file might be flagged as a virus. While this method is useful for identifying new viruses and variants, it can trigger many false alarms. The second heuristic approach is file emulation. In this approach, the target file is run in a virtual system environment, separate from the real system environment. The antivirus software then logs what actions the file takes in the virtual environment. If the actions are found to be damaging, the file is marked as a virus. But again, this method can trigger false positives.

See also

* Rogue software

External links

* Best Antivirus Reviews